A Guide to Passwords - University of Waterloo

A Guide to Passwords
AHS Computing
Why is this Important?
• Your password is your key to everything personal that exists on the Internet (not just your UWaterloo resources)
• Would you be cavalier about leaving your car or house unlocked?
Hackers Want Your Password
• To spam people
– If your email password is the same as your bank password and they have your email password...
• To masquerade as you
• To embarrass you on Facebook
• Money
• For Fun!
HOW DO HACKERS WORK?
Malware
• Malware is typically installed by employing different social engineering techniques which entice the user to download a particular “cool” but, in reality, malicious application
• Trojans
• Keyloggers
• Backdoors
• Rootkits
• http://www.youtube.com/watch?v=cvDFHgTHth0
Phishing
• From Wikipedia:
– “Phishing is attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.”
• Example:
– This method attempts to deceive the user into divulging their credentials by imitating the Facebook login page.
Example of Phishing
Hacking in Action
• http://www.youtube.com/watch?v=zBZrynmd7cU&feature=related
Bruteforce
• The attacker repeatedly attempts to guess the user’s password.
• This technique is particularly effective against users who tend to use easy and guessable passwords.
Bruteforce
• 6 characters: 2.25 billion possible combinations
– Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 0.0224 seconds
– Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 0.0000224 seconds
• 10 characters: 3.76 quadrillion possible combinations
– Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 10.45 hours
– Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 37.61 seconds
• Add a symbol, and make the crack several orders of magnitude more difficult:
• 6 characters: 7.6 trillion possible combinations
– Cracking online using a web app hitting a target site with one thousand guesses per second: 2.4 centuries
– Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 1.26 minutes
– Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 0.0756 seconds
• 10 characters: 171.3 sextillion possible combinations (171,269,557,687,901,638,419; 1.71 x 10^20)
– Cracking online using a web app hitting a target site with one thousand guesses per second: 54.46 million centuries
– Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 54.46 years
– Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 2.83 weeks
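As an added example (not part of the original slides), the short Python script below reproduces the search-space and crack-time figures above. It assumes what the slide's numbers are consistent with: the count covers every password of length 1 through N, the plain rows use a 36-character alphabet (lowercase letters and digits), and the "add a symbol" rows use a 69-character alphabet (lowercase, digits and 33 symbols) with one extra character of length; the three guess rates are the slide's own.

```python
# Added example, not from the slides. Assumptions: search space counts all
# lengths 1..N; 36-character alphabet (a-z, 0-9) for the plain rows;
# 69-character alphabet (a-z, 0-9, 33 symbols) and one more character of
# length for the "add a symbol" rows. Guess rates are the slide's.

GUESS_RATES = {
    "online (web app, 1,000 guesses/s)": 1e3,
    "offline (high-powered servers, 100 billion guesses/s)": 1e11,
    "offline (massively parallel cluster, 100 trillion guesses/s)": 1e14,
}


def search_space(alphabet_size: int, max_length: int) -> int:
    """Distinct passwords of length 1..max_length over the alphabet.
    Exact integer arithmetic, so it stays correct far beyond 2**63."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def crack_seconds(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a readable number."""
    units = [("centuries", 3_155_760_000.0), ("years", 31_557_600.0),
             ("weeks", 604_800.0), ("days", 86_400.0), ("hours", 3_600.0),
             ("minutes", 60.0), ("seconds", 1.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.4g} seconds"


def report(label: str, alphabet_size: int, max_length: int) -> dict:
    """Print one slide row and return {rate label: seconds} for checking."""
    space = search_space(alphabet_size, max_length)
    rows = {name: crack_seconds(space, rate) for name, rate in GUESS_RATES.items()}
    print(f"{label}: {space:,} possible combinations (~{space:.3g})")
    for name, secs in rows.items():
        print(f"  {name}: {human_time(secs)}")
    return rows


if __name__ == "__main__":
    report("6 chars, lowercase + digits", 36, 6)
    report("10 chars, lowercase + digits", 36, 10)
    report("6 chars + 1 symbol, 69-char alphabet", 69, 7)
    report("10 chars + 1 symbol, 69-char alphabet", 69, 11)
```

The 69-character, 11-length space comes out to exactly the 171,269,557,687,901,638,419 combinations quoted on the slide, and the one-symbol rows are over a thousand times larger than their plain counterparts.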
Facebook
• Personally Identifiable Information (PII) as well as general personal information.
– Included in this category are date of birth, home address, and even the mother’s maiden name
• Even social security numbers can be extrapolated from many Facebook profiles, as shown by researchers at Carnegie Mellon University.
Facebook
• Is your Facebook password the same as your banking password?
Tips and Techniques
HOW TO DEAL WITH PASSWORDS?
Passwords = Pain!
• We have so many that we can’t keep track
– We forget to update
– Difficult to come up with effective ones that we can still remember
– We procrastinate changing them for months, even years!
Keep It Simple
• Passwords don’t have to be complex
• A few simple methods can help make living with passwords a little easier
How to Choose Good Passwords?
• No dictionary words, proper nouns or foreign words
• No personal information!!!
Making a Good Password
• Your password should not include anything remotely related to
– the user’s name
– Nickname
– the name of a family member
– Pet
– Address
– License Plate
Passwords
• Also, the password should not contain any easily recognizable numbers like
– Phone numbers
– Addresses
– Other information that someone could guess by picking up your mail
Worst Passwords?
Make a Compound Word
• Be aware, however, that this is much less secure!
– It adds more security to capitalize the first letters of the different words: "ballzonecart" becomes "BallZoneCart".
• In terms of security, sheer length is superior to a shorter but random mix of numbers, letters and symbols.
Remove the Vowels
• Take a word or phrase and remove the vowels from it.
– For example, "eat the cheeseburger" becomes "tthchsbrgr".
• Replace vowels with numbers.
– Use Leetspeak as your guide. For instance, "a" becomes "4" and "e" becomes "3".
Turn Letters into Numbers
• Think of a phrase or name for your password.
– Type that name using the numbers located on the telephone number pad.
• The letters have now turned into numbers. It will make it more secure to add a random letter or symbol as well.
• Substituting numbers for letters is called Leetspeak.
– This technique is programmed into most password cracking tools, making it slightly less secure.
• Remember to make this a component of a larger password or compound pass-phrase.
Use Year and Month Plus Letters
• Use the current year and first three letters of the current month. Then add in your old password.
– In this case, your password might read 2012marJ8Ytf6!
• Next month, change it to 2012aprJ8Ytf6!
• Many users combine a date component inside a larger password. This helps when the password needs to change from time to time.
– Date-only passwords are at higher risk of being cracked than other choices.
Use a Book
• Choose a favorite passage out of a book and use a word from the passage.
• For example, if your favorite book is "The Eye of the World", by Robert Jordan, and your favorite passage is the second paragraph on page 168, use a word from that passage.
• You can use the word Draghkar. So you would put 2Draghkar168. 2 is the paragraph number and 168 is the page number.
Combine Passwords
• Have a couple of passwords you like?
• Put them together to create a super password
THE BEST TECHNIQUE?
Passphrases!?!?!
• Take a sentence that is easy for you to remember
• Remember to include the punctuation
Passphrases
• Length can be a huge advantage to memorization. If your typing is fairly accurate, consider large phrases from a book, speech or movie, such as:
– "It was a dark and stormy night!"
– “Henderson has scored for Canada!"
– “These pretzels are making me thirsty!”
Passphrases
• Phrases are easy to memorize. The length of a pass phrase has several advantages:
– The length can provide security even if special symbols are not used. This can help with sites that prevent the use of symbols.
– Make good use of punctuation and capitalization to make a secure pass phrase that complies with common password rules.
Securing Your Password
• Never write down your password in an obvious place
• Prof in RLS used to write his password on the back of his keyboard
Guarding Your Password
• Never tell your password to anyone!
• A leaked password can lead to fraud
• Resist the temptation to tell someone!
A Review
Passwords at UW
Requirements
Frequency of Password Changes
• Every term!
• In the business world, every 72 days
• Call 5475 example
Levels of Passwords
1. Personal
2. UW
3. Banking
QUESTIONS OR COMMENTS?